Five OpSec Best Practices to Live By

Often when we talk about security, we focus on the mechanics of how to keep technical infrastructure safe. It can be easy to forget that operational security is just as important. When done right, strong OpSec practices will keep your business safe from leaked information, competitive disadvantage, and even public embarrassment.

Without good OpSec, your business may be vulnerable to information theft via an attack surface that has little or nothing to do with computers. With that said, here’s what you need to know about OpSec today.

What is OpSec?

OpSec stands for Operational Security. Many people think of it in a military or national security context. In those realms, OpSec means understanding what your adversaries can deduce from the communications you put out, and taking steps to limit the usefulness of any information they can easily gather. For our purposes — in the world of business — when we say OpSec, we mean: “Actions taken to ensure that information leakage doesn’t haunt you.”

Similar concept, different context. OpSec in the world of business is all about making sure that information about your business that should remain private, does remain private. This article offers a helpful framework for applying OpSec principles to business. Below, we’ll explain what we’ve learned and how we share that with our own employees.

Why is OpSec So Hard?

Strong operational security is difficult because it relates to information and knowledge. More specifically, OpSec is hard because we’re all human. We have a very human desire to be seen as knowledgeable and to impress others, and this can lead us to gossip, brag, and otherwise overshare.

Often, OpSec missteps happen when folks are casually discussing something that doesn’t seem particularly sensitive, or when people forget to consider their surroundings before blurting something out. We may either be proud of the info we have access to and want to share it with others, or we may simply forget to consider our whereabouts before opening up. Either way, this type of laxity can have some pretty serious consequences.

The 5 Big OpSec Rules

To prevent these consequences as much as possible, we teach basic OpSec best practices to all new hires at Threat Stack as part of our security awareness training program. When we do this, we share five primary rules to live by when it comes to keeping our business operationally secure.

1. Remember: You Could Be a Target

We tell employees to remember that, no matter your role or function within the organization, you could be a target. This is especially true at a security company. We are a natural target for all sorts of attacks — from garden-variety cybercriminals to competitive spying (sounds dramatic, but it’s real!). That said, it doesn’t really matter what industry you’re in. If you have any sensitive, proprietary information at all (and let’s face it, most employees do), then you could very well be a target. This is a good thing to always keep in mind.

2. Remain Vigilant

We also advise employees to remain vigilant, especially in regard to unexpected communications. We typically send everything over Slack, so we tell employees that if they receive an email they weren’t expecting — for example, an urgent request for a W-2 or a wire transfer — they should proceed with caution.

Give employees an easy way to report potentially suspicious or malicious communications, whether that’s an email address they can forward things to or a Slack channel where they can ask questions. Create a culture of skepticism where they feel comfortable checking twice before clicking a link or responding to a request for sensitive information, and you’ll have a much more secure organization overall.

3. Use Technology to Keep Private Info Private

Of course, some aspects of OpSec do cross over into the more traditional “information security” realm. Specifically, we require all of our employees to enable two-factor authentication for all services and to use a password manager like LastPass or 1Password. Two-factor authentication means a stolen or guessed password alone is not enough for cybercriminals to get into your systems, and a password manager makes it far less likely that employees will reuse the same password for everything. Both measures are simple to implement, have a relatively low impact on workflow, and will go a long way toward keeping your business secure.

4. Watch What You Say, Where, and To Whom

OpSec often comes into play in public settings. For example, if members of your team are discussing work-related matters at a nearby lunch spot, during a conference, or over a beer, odds are that someone could overhear. As they say, loose lips can sink ships, so make sure you don’t discuss any sensitive company information while out in public. This includes:

- Customer names and details
- New products or plans
- Intellectual property
- Private news (e.g., an upcoming IPO)
- Competitive strategies
- etc.

Many OpSec missteps can be avoided by being more aware of your surroundings and the context in which you are speaking: what you’re saying, where you are, who you’re speaking to, and who might overhear. It’s a good idea to go over the “no-no’s” for your specific company during onboarding and to remind employees of them periodically.

5. Think Before You Post

In the age of ubiquitous internet access and rampant social media posting, it has never been easier to accidentally share information. Photos are a common source of trouble in the world of OpSec today. Take the following image, posted by the LAPD, which clearly shows their login information for Palantir (a big data solution):

Oops. The moral of the story is, think twice before you post. If you’re considering posting an image, make sure it doesn’t include any sensitive information. If you’re thinking about posting something work-related, consider how someone at another organization or a cybercriminal might interpret your post and whether they might be able to glean sensitive information. When in doubt, leave it out.

OpSec is Tough, But You Are Tougher

As with many areas of security, the key is toughening up both your technological and your human defenses. The more your team understands what operational security means and how to go about it, the less likely they are to make a misstep that could cost you a customer, leak important information, and/or get you into legal trouble.

With the five OpSec best practices above, you should be well on your way to preventing loose lips from sinking the ship — and that means smoother sailing for everyone.

As Director of Marketing, Palen is responsible for Threat Stack's lead generation and branding strategy. With over 10 years’ marketing experience in business-to-business, high-tech, and security markets, Palen’s customer-centric approach to marketing aims at improving the communication and relationship customers have with their vendors. Prior to Threat Stack, Palen held management positions at Procera Networks, Exinda Networks, and Astaro Internet Security (acquired by Sophos in July 2011), where he specialized in demand generation, corporate communication, and growth hacking.